Merge tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux...

Marc Kleine-Budde says:

====================
pull-request: can 2022-12-07

The 1st patch is by Oliver Hartkopp and fixes a potential NULL pointer
deref found by syzbot in the AF_CAN protocol.

The next 2 patches are by Jiri Slaby and Max Staudt and add the
missing flush_work() before freeing the underlying memory in the slcan
and can327 driver.

The last patch is by Frank Jungclaus and target the esd_usb driver and
fixes the CAN error counters, allowing them to return to zero.

* tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
  can: esd_usb: Allow REC and TEC to return to zero
  can: can327: flush TX_work on ldisc .close()
  can: slcan: fix freed work crash
  can: af_can: fix NULL pointer dereference in can_rcv_filter
====================

Link: https://lore.kernel.org/r/20221207105243.2483884-1-mkl@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 2479be3..937cb22 100644 (file)
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -833,10 +833,13 @@ static void mv88e6xxx_get_caps(struct dsa_switch *ds, int port,
 
        chip->info->ops->phylink_get_caps(chip, port, config);
 
-       /* Internal ports need GMII for PHYLIB */
-       if (mv88e6xxx_phy_is_internal(ds, port))
+       if (mv88e6xxx_phy_is_internal(ds, port)) {
+               __set_bit(PHY_INTERFACE_MODE_INTERNAL,
+                         config->supported_interfaces);
+               /* Internal ports with no phy-mode need GMII for PHYLIB */
                __set_bit(PHY_INTERFACE_MODE_GMII,
                          config->supported_interfaces);
+       }
 }
 
 static void mv88e6xxx_mac_config(struct dsa_switch *ds, int port,

diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
index e104fb0..aa0d2f3 100644 (file)
--- a/drivers/net/ethernet/aeroflex/greth.c
+++ b/drivers/net/ethernet/aeroflex/greth.c
@@ -258,6 +258,7 @@ static int greth_init_rings(struct greth_private *greth)
                        if (dma_mapping_error(greth->dev, dma_addr)) {
                                if (netif_msg_ifup(greth))
                                        dev_err(greth->dev, "Could not create initial DMA mapping\n");
+                               dev_kfree_skb(skb);
                                goto cleanup;
                        }
                        greth->rx_skbuff[i] = skb;

diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
index cacd454..c39b866 100644 (file)
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
@@ -132,6 +132,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
                                                 DMA_TO_DEVICE);
        if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
                dev_err(dev, "DMA mapping failed\n");
+               kfree(cmd_buff);
                return -EFAULT;
        }
 
@@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
                         DMA_TO_DEVICE);
        if (err) {
                dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
+               kfree(cmd_buff);
                return err;
        }
 
@@ -172,6 +174,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
                                                 DMA_TO_DEVICE);
        if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
                dev_err(dev, "DMA mapping failed\n");
+               kfree(cmd_buff);
                return -EFAULT;
        }
 
@@ -182,6 +185,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
                         DMA_TO_DEVICE);
        if (err) {
                dev_err(dev, "dpsw_acl_remove_entry() failed %d\n", err);
+               kfree(cmd_buff);
                return err;
        }
 

diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 450b16a..e1a569b 100644 (file)
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -885,7 +885,7 @@ static int ca8210_spi_transfer(
 
        dev_dbg(&spi->dev, "%s called\n", __func__);
 
-       cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC);
+       cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC);
        if (!cas_ctl)
                return -ENOMEM;
 

diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
index c69b87d..edc769d 100644 (file)
--- a/drivers/net/ieee802154/cc2520.c
+++ b/drivers/net/ieee802154/cc2520.c
@@ -970,7 +970,7 @@ static int cc2520_hw_init(struct cc2520_private *priv)
 
                if (timeout-- <= 0) {
                        dev_err(&priv->spi->dev, "oscillator start failed!\n");
-                       return ret;
+                       return -ETIMEDOUT;
                }
                udelay(1);
        } while (!(status & CC2520_STATUS_XOSC32M_STABLE));

diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c
index 9327621..d022206 100644 (file)
--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -92,7 +92,7 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
                struct net_device *dev = queue->vif->dev;
 
                netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
-               kfree_skb(skb);
+               dev_kfree_skb_irq(skb);
                queue->vif->dev->stats.rx_dropped++;
        } else {
                if (skb_queue_empty(&queue->rx_queue))

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 500ed1b..7e2065e 100644 (file)
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -662,6 +662,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
        sdata->dev = ndev;
        sdata->wpan_dev.wpan_phy = local->hw.phy;
        sdata->local = local;
+       INIT_LIST_HEAD(&sdata->wpan_dev.list);
 
        /* setup type-dependent data */
        ret = ieee802154_setup_sdata(sdata, type);

diff --git a/net/tipc/node.c b/net/tipc/node.c
index b48d97c..49ddc48 100644 (file)
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1689,6 +1689,7 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
        struct tipc_node *n;
        struct sk_buff_head xmitq;
        bool node_up = false;
+       struct net *peer_net;
        int bearer_id;
        int rc;
 
@@ -1705,18 +1706,23 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
                return -EHOSTUNREACH;
        }
 
+       rcu_read_lock();
        tipc_node_read_lock(n);
        node_up = node_is_up(n);
-       if (node_up && n->peer_net && check_net(n->peer_net)) {
+       peer_net = n->peer_net;
+       tipc_node_read_unlock(n);
+       if (node_up && peer_net && check_net(peer_net)) {
                /* xmit inner linux container */
-               tipc_lxc_xmit(n->peer_net, list);
+               tipc_lxc_xmit(peer_net, list);
                if (likely(skb_queue_empty(list))) {
-                       tipc_node_read_unlock(n);
+                       rcu_read_unlock();
                        tipc_node_put(n);
                        return 0;
                }
        }
+       rcu_read_unlock();
 
+       tipc_node_read_lock(n);
        bearer_id = n->active_links[selector & 1];
        if (unlikely(bearer_id == INVALID_BEARER_ID)) {
                tipc_node_read_unlock(n);